Presentation is loading. Please wait.

Presentation is loading. Please wait.

X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.

Published byJulianna Morrison Modified over 8 years ago

Similar presentations

Presentation on theme: "X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems."— Presentation transcript:

1 X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems of the public sector

2 ? Internet X-Road Internet
To secure the system, each party accesses X-Road via it’s Security Server Information systems need: SOAP or XMLRPC client + understanding of X-Road rules Traffic between Security Servers is encrypted with PKI. Security Servers have to be certified by X-Road Certification Authority X-Road Security Server is a standard software solution that encrypts/decrypts outgoing/ingoing messages, filters ingoing messages as a firewall, and logs messages it receives Certificates are available for verification from X-Road Central Servers. Central Servers are duplicated No redundant centralization: Security Servers create connections directly to each other Data from Central Servers is cached in Security Servers by use of DNSSEC Extra interface from every database to every information system would have been expensive... X-Road is a platform-independent secure standard interface between databases and information systems Database is adapted to X-Road by setting up Adapter Server, which contains: SOAP or XMLRPC server + X-Road rules There are various databases and information systems in different platforms with need to co-operate... Population Register (Progress) SOAP server SOAP client Security Server Internet X-Road Internet Security Server Citizen Business Register (Oracle) Citizen Portal SOAP server ? Security Server Security Server SOAP client Land Register (MSSQL) Information System of Company A Officers SOAP server Security Server Security Server Security Server SOAP client Motor Vehicle Register (Oracle) SOAP server Information System of Company B Officers more than 100 Databases... more than 1000 Information Systems... CA Central Servers

3 X-Road: Message on the road
Information System Security Server of DB checks whether the Information System is authorized for this method This is the second level of authorization If certificate was valid, the Security Server of DB sends its certificate back to finish creation of secure connection As secure channel has been created and other party verified, Security Server of IS sends signed message to Security Server of DB Security Server of DB sends signed response message to the Security Server of IS Security Server of IS opens TCP connection to the Security Server of DB and sends its certificate to start TLS security protocol Security Server of IS Security Server of DB sends the decrypted message to the Adapter Server Security Server of DB verifies signature of the message and logs the message Security Server of DB signs the response message Security Server of DB verifies over DNSSEC the certificate received from the Security Server of IS SOAP client Internet X-Road User (citizen or officer) Adapter Server commits the method call in the database Security Server of IS checks the signature of response message and logs the response message Finally, user receives response he/she requested! Security Server of IS sends decrypted response message to the Information System In addition to the message body with data for method call, the message contains also a message header with user’s Personal Code, the name of Information System, unique ID of the message etc. Security Server of IS verifies over DNSSEC the certificate received from the Security Server of DB Security Server of DB Whether user is identified by ID-card, password, face or something else is up to the Information System, provided that the way of identification is reliable The Security Server of IS asks over DNSSEC the Central Server for IP address of the Security Server(s) of DB As user chooses to call a method (usage of which is authorized by the Information System), a message with method call goes towards the Security Server Information System gives user access to methods user is authorized to use This is first level of authorization The Security Server signs the message with it’s private key User authenticates himself/herself Information System must be able to get to know the proper Personal Code of user Database SOAP server CA Central Servers

4 X-Road: Levels of authorization
If Database does not trust Information System to grant individual permissions, it has possibility to hold additional permission matrix on the granularity of individual users Permission matrix on the granularity of Information Systems is held by the Security Server of the Database Security Server of IS Information System SOAP client Internet X-Road User (citizen or officer) Permission matrix on the granularity of individual users is held by the Information System But this would be awful in case of hundreds of Information Systems with thousands of users! Information System is capable to grant permissions to its users only on those methods that Information System itself is authorized to use by permission matrix held by the Security Server of DB Database SOAP server Security Server of DB CA Central Servers

5 Internet X-Road X-Road: Trusted logs
Security Server of IS Information System With message given, it is always possible to check later the authenticity of the message – whether such a message really existed or not. As X-Road trusted logs cannot be broken, the result of the check is trustworthy XMLRPC client Security Server of DB logs messages coming from the Information Systems If evil administrator of any Security Server would even try to change the local log, the hash in Security Server does not match the hash in Central Servers any more! Therefore, the logs cannot be broken Internet X-Road User (citizen or officer) Security Server of IS logs response messages coming from the Databases Database XMLRPC server Both Security Servers hash their logs and send their hash chain periodically to the Central Servers Security Server of DB CA Central Servers

6 X-Road: A protocol with standard implementation provided
Any custom information system having specified security level may join X-Road Those institutions (companies) which do not have a secure information system of their own, are welcome to install standard Mini-InfoSystem-Portal (MISP) to gain access to X-Road

Download ppt "X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems."

Similar presentations

What is. Digital Certificate It is an identity.

What is. Digital Certificate It is an identity.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Access control for IP multicast T-110.557 Petri Jokela

Access control for IP multicast T Petri Jokela
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
MITP 458 Application Layer Security By Techjocks.

MITP 458 Application Layer Security By Techjocks.

Similar presentations

Ads by Google